[asterisk-commits] russell: branch group/security_events r199734 - /team/group/security_events/m...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Tue Jun 9 07:31:15 CDT 2009
Author: russell
Date: Tue Jun 9 07:31:11 2009
New Revision: 199734
URL: http://svn.asterisk.org/svn-view/asterisk?view=rev&rev=199734
Log:
Report invalid request formatting events for AMI, add one more request not allowed event
Modified:
team/group/security_events/main/manager.c
Modified: team/group/security_events/main/manager.c
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/main/manager.c?view=diff&rev=199734&r1=199733&r2=199734
==============================================================================
--- team/group/security_events/main/manager.c (original)
+++ team/group/security_events/main/manager.c Tue Jun 9 07:31:11 2009
@@ -1891,6 +1891,36 @@
ast_security_event_report(AST_SEC_EVT(&req_not_allowed));
}
+static void report_req_bad_format(const struct mansession *s, const char *action)
+{
+ struct sockaddr_in sin_local = { 0, };
+ struct ast_str *session_id = ast_str_alloca(32);
+ struct ast_str *request_type = ast_str_alloca(64);
+ struct ast_security_event_req_bad_format req_bad_format = {
+ .common.event_type = AST_SECURITY_EVENT_REQ_BAD_FORMAT,
+ .common.version = AST_SECURITY_EVENT_REQ_BAD_FORMAT_VERSION,
+ .common.service = "AMI",
+
+ .account_id = s->session->username,
+ .session_tv = &s->session->sessionstart_tv,
+ .local_addr = {
+ .sin = mansession_encode_sin_local(s, &sin_local),
+ .transport = mansession_get_transport(s),
+ },
+ .remote_addr = {
+ .sin = &s->session->sin,
+ .transport = mansession_get_transport(s),
+ },
+ };
+
+ ast_str_set(&session_id, 0, "%p", s->session);
+ req_bad_format.session_id = ast_str_buffer(session_id);
+
+ ast_str_set(&request_type, 0, "Action: %s", action);
+ req_bad_format.request_type = ast_str_buffer(request_type);
+
+ ast_security_event_report(AST_SEC_EVT(&req_bad_format));
+}
/*
* Here we start with action_ handlers for AMI actions,
* and the internal functions used by them.
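Review bot: The `action` argument of `report_req_bad_format` is client-supplied text at the unknown-command call site, and it is formatted into `request_type` with nothing documenting its length or content. The 64-byte `ast_str_alloca` buffer presumably truncates rather than grows, since an alloca-backed string cannot be reallocated, so a long action name would be cut silently. A comment such as `/* action is untrusted request data; it is truncated to fit request_type */` above the `ast_str_set` call would make that intentional. Separately, `session_id` is built with `"%p"` from `s->session`, which puts a heap address into every emitted event; if events can leave the process, an identifier that is not an address would avoid disclosing memory layout.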
@@ -3716,6 +3746,7 @@
ast_copy_string(action, __astman_get_header(m, "Action", GET_HEADER_SKIP_EMPTY), sizeof(action));
if (ast_strlen_zero(action)) {
+ report_req_bad_format(s, "NONE");
mansession_lock(s);
astman_send_error(s, m, "Missing action in request");
mansession_unlock(s);
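Review bot: The literal `"NONE"` passed on the missing-Action path cannot be told apart, in the emitted event, from a client that really sends `Action: NONE`. That request would fall through to the unknown-command branch and be reported by the same helper with the same `request_type` text. An empty action always takes this branch, so `report_req_bad_format(s, "");` would keep the two cases distinct for whoever consumes the events. This path also runs before the authentication check shown in the next hunk, so a peer that has not logged in can cause one event per request; whether reporting is rate limited is not visible here. The enclosing function starts and ends outside the hunk.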
@@ -3723,6 +3754,9 @@
}
if (!s->session->authenticated && strcasecmp(action, "Login") && strcasecmp(action, "Logoff") && strcasecmp(action, "Challenge")) {
+ if (!s->session->authenticated) {
+ report_req_not_allowed(s, action);
+ }
mansession_lock(s);
astman_send_error(s, m, "Permission denied");
mansession_unlock(s);
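Review bot: The added inner test `if (!s->session->authenticated)` is redundant, because the enclosing condition already requires `!s->session->authenticated` before this block is entered. It can never be false here and reads as if some other case were being excluded. Calling the helper directly, `report_req_not_allowed(s, action);`, says the same thing with less nesting. The enclosing function starts and ends outside the hunk.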
@@ -3732,6 +3766,7 @@
if (!allowmultiplelogin && !s->session->authenticated && user &&
(!strcasecmp(action, "Login") || !strcasecmp(action, "Challenge"))) {
if (check_manager_session_inuse(user)) {
+ /* XXX Session limit */
sleep(1);
mansession_lock(s);
astman_send_error(s, m, "Login Already In Use");
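Review bot: The new marker `/* XXX Session limit */` does not say what is still missing at this point. From the surrounding changes it presumably means that a rejected duplicate login should also be reported as a security event, which this commit does not yet do. Spelling that out, for example `/* XXX TODO: report a session-limit security event for this rejected login */`, would keep the gap from being read as finished work.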
@@ -3762,10 +3797,10 @@
ret = call_func(s, m);
} else {
char buf[512];
+ report_req_bad_format(s, action);
snprintf(buf, sizeof(buf), "Invalid/unknown command: %s. Use Action: ListCommands to show available commands.", action);
mansession_lock(s);
astman_send_error(s, m, buf);
- /* XXX Request bad format */
mansession_unlock(s);
}
if (ret) {
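Review bot: The `else` branch now reports a bad-format event for every request whose handler was not called, but the condition selecting this branch lies outside the hunk. It is therefore not evident that an unrecognised action name is the only way to reach it. If a known action can also land here, for instance after a failed permission check, the event would mislabel a denied request as a malformed one. A short comment above the call, such as `/* unknown action name: reported as a badly formatted request */`, would record the intended classification for anyone writing detections on these events.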